[
https://issues.apache.org/jira/browse/HADOOP-18030?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17454189#comment-17454189
]
Larry McCay commented on HADOOP-18030:
--------------------------------------
Hi [~lalapala] - let's see how to unpack this...

1. The cookie has not expired - it is a persistent cookie and has a maxAge of
-1, which means it will persist until the browser is shut down. It is also
worth noting that maxAge is not well supported anyway. So the continued use of
the cookie is valid, and the acceptance of the cookie value is a decision of
the server side that receives it.

2. The error that you are getting here isn't about it being expired. It is
indicating that the signerSecret used to sign the cookie value (signature in
the "s" attribute of the cookie's token) is not the one expected by the current
server side. This would likely be the effect of one of the following:

   a. The signerSecret being changed out from under an existing token
      explicitly and not properly synced across the various servers
   b. The signer secret manager being configured as the random version and the
      server being restarted, which is a similar issue to #1
   c. The cookie has been created for use with a different server side and the
      secrets are purposely kept different for additional security concerns.

The above is the best that I can do without actually debugging it and/or
studying the code for the flow between the RM and TMS.

I don't believe this is an actual bug or issue that needs correcting at this
point. I don't recall the circumstances that allowed for a backward
incompatible change, but it was done 6.5 years ago now and really can't be
considered incompatible anymore. :)

> Authentication cookie will never expire by default after HADOOP-12049
> ---------------------------------------------------------------------
>
> Key: HADOOP-18030
> URL: https://issues.apache.org/jira/browse/HADOOP-18030
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 3.1.0
> Reporter: gaozhan ding
> Priority: Major
> Attachments: image-2021-12-06-10-46-26-696.png
>
>
> While creating the auth cookie for the client, AuthenticationFilter will add
> the "Expires" attribute to the cookie if needed. But after
> https://issues.apache.org/jira/browse/HADOOP-12049, it never enters the code
> block by default.
>
>
> {code:java}
> // AuthenticationFilter
> public static void createAuthCookie(HttpServletResponse resp, String token,
>                                     String domain, String path, long expires,
>                                     boolean isCookiePersistent,
>                                     boolean isSecure) {
>   //...
>   // By default, isCookiePersistent = false
>   if (expires >= 0 && isCookiePersistent) {
>     Date date = new Date(expires);
>     SimpleDateFormat df = new SimpleDateFormat("EEE, " +
>         "dd-MMM-yyyy HH:mm:ss zzz");
>     df.setTimeZone(TimeZone.getTimeZone("GMT"));
>     sb.append("; Expires=").append(df.format(date));
>   }
>   //...
> }{code}
>
>
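
The signature mismatch described in the comment above, as an added Java example (not Hadoop's code and not from the issue or its participants): a stand-in signer appends an "&s=" signature to the token, and a server holding a different secret rejects a cookie the browser is still sending. The class name, the use of HMAC-SHA256, the token body and the secrets are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// Illustrative stand-in for a cookie signer; not Hadoop's Signer class.
public class CookieSignerDemo {
    private static final String SIG = "&s=";      // signature attribute appended to the token

    // Models a "random" signer secret: a fresh value on every server start.
    static byte[] randomSecret() {
        byte[] b = new byte[32];
        new SecureRandom().nextBytes(b);
        return b;
    }

    static String hmac(String value, byte[] secret) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");  // assumed algorithm for this demo
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        byte[] raw = mac.doFinal(value.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(raw);
    }

    static String sign(String value, byte[] secret) throws Exception {
        return value + SIG + hmac(value, secret);
    }

    // True only if the signature was produced with the secret this server holds.
    static boolean verify(String signed, byte[] secret) throws Exception {
        int i = signed.lastIndexOf(SIG);
        if (i < 0) return false;                  // no signature present
        String value = signed.substring(0, i);
        byte[] got = signed.substring(i + SIG.length()).getBytes(StandardCharsets.UTF_8);
        byte[] want = hmac(value, secret).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(got, want);  // constant-time comparison
    }

    public static void main(String[] args) throws Exception {
        String token = "u=alice&t=simple";        // constructed sample token body
        byte[] secretBeforeRestart = randomSecret();
        String cookie = sign(token, secretBeforeRestart);  // browser keeps sending this

        System.out.println("same secret:      " + verify(cookie, secretBeforeRestart));
        byte[] secretAfterRestart = randomSecret();        // cause b: random secret, restart
        System.out.println("after restart:    " + verify(cookie, secretAfterRestart));
        byte[] otherServer = "other-server-secret".getBytes(StandardCharsets.UTF_8);
        System.out.println("different server: " + verify(cookie, otherServer)); // causes a, c
    }
}
```

The cookie itself is unchanged in all three checks; only the verifying side's secret differs, which is why the failure surfaces as an invalid signature rather than an expiry.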